One of our customers, to whom we deliver services, wants us to sign their Data Processor Agreement. However, the scope of this agreement lists a lot more personal data types than we process. The scope seems to be general (exhaustive list) so they can use the same scope for all suppliers instead of describing the scope of the explicit Data Processing we will do. Is this acceptable according to EU GDPR?
The Data Processing Agreement should be in accordance with the requirements of EU GDPR art. 28(3) “Processor” (https://advisera.com/eugdpracademy/gdpr/processor/), which states, among other things, that the Data Processing Agreement must contain a description of:
- scope, nature and purpose of processing;
- duration of the processing; and
- types of personal data and categories of data subjects.
So, as you can see, it must refer to the data which is actually processed.